United States Department of Agriculture
Office of Inspector General

Review of Selected Controls at the National Information Technology Center

Audit Report 88401-0001-11
September 2012

United States Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE: September 26, 2012

AUDIT NUMBER: 88401-01-11

TO: Cheryl Cook
    Acting Chief Information Officer
    Office of the Chief Information Officer

ATTN: Denice Lotson
      Audit Liaison Officer
      Office of the Chief Information Officer

FROM: Gil H. Harden
      Assistant Inspector General for Audit

SUBJECT: Review of Selected Controls at the National Information Technology Center

This report presents the results of the subject review. Your written response is included in its entirety in the report. Excerpts of your response and the Office of Inspector General's position are incorporated into the applicable sections of the report.

We accept management decision for Recommendation 1, noted in the report. In accordance with Departmental Regulation 1720-1, final action needs to be taken within 1 year of each management decision to prevent being listed in the Department's annual Performance and Accountability Report. In regard to Recommendations 2 and 3, please furnish a reply within 60 days describing the corrective actions taken or planned, and timeframes for implementing the recommended actions. Please note that the regulation requires management decision to be reached on all recommendations within 6 months from the report issuance.

We appreciate the courtesies and cooperation extended to us by members of your staff during our audit fieldwork and subsequent discussions.

Table of Contents

Executive Summary ........................................ 1
Background and Objectives ................................ 3
Section 1: Selected IT Controls Need Strengthening ....... 4
   Finding 1: Selected IT Controls Need Strengthening .... 4
      Recommendation 1 ................................... 5
      Recommendation 2 ................................... 5
      Recommendation 3 ................................... 5
Scope and Methodology .................................... 6
Abbreviations ............................................ 7
Exhibit A: Office of Inspector General Tests of the Office of the Chief Information Officer/National Information Technology Center Controls ... 8
Agency's Response ....................................... 14

Review of Selected Controls at the National Information Technology Center (88401-0001-11)

Executive Summary

This report presents the results of our review of selected controls at the Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC). Specifically, our review was to assess whether selected controls at OCIO/NITC were in place and operating effectively in support of key Department of Agriculture (USDA) financial systems from October 1, 2011, through July 1, 2012, with a focus on the production and backup environments for the Office of the Chief Financial Officer/National Finance Center's (OCFO/NFC) EmpowHR application.[1]

OCIO/NITC's mission is to provide reliable and cost-effective information technology solutions to achieve mission performance and program delivery for its USDA and non-USDA customers. As a customer of OCIO/NITC, OCFO/NFC relies on the effectiveness of the controls tested during our review.

We identified three exceptions during the course of our review. The following summarizes the exceptions identified in Finding 1 of this report.

·   OCIO/NITC had not developed formal, documented policy and procedures for incident response, but instead relied on policy and procedures created for a separate entity.

·   OCIO/NITC did not use Plans of Action and Milestones (POA&M) to track mitigation of the critical vulnerabilities identified through monthly scanning. While we found that OCIO/NITC did use an internal system to track and remediate identified vulnerabilities, that system did not meet Departmental guidelines for Federal Information Security Management Act reporting.

·   The alternate processing site at the George Washington Carver Center in Beltsville, Maryland, did not provide adequate protection from water damage.

[1] EmpowHR is a web-based human resource system for personnel action processing, position management, and training.

AUDIT REPORT 88401-0001-11   1

Recommendation Summary

We recommended that OCIO/NITC:

·   Develop and implement formal documented incident response policy and procedures.

·   Implement the Department's POA&M process for critical vulnerabilities existing more than 30 days or, alternatively, obtain a waiver.

·   Develop and implement compensating controls to mitigate the risk of water damage at the George Washington Carver Data Center.

Agency Response

OCIO/NITC concurs with the finding and recommendations included in the report and has developed a plan of specific action to address Recommendation 1, including estimated completion dates. Additionally, OCIO/NITC concurs with Recommendations 2 and 3 and is currently identifying and evaluating options to ensure compliance with FISMA reporting requirements, and implementing compensating controls to mitigate the risk of water damage, respectively.

OIG Position

We accept management decision on Recommendation 1 presented in the report. With regard to Recommendations 2 and 3, management decision should be achievable upon review of the specific plans and timeframes for corrective action.

Background and Objectives

Background

The Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC) has provided services as a federated data center[2] since 1973. Its mission is to provide reliable and cost-effective information technology solutions to achieve effective mission performance and program delivery for the Department of Agriculture (USDA), its agencies, and other clients. OCIO/NITC operates a Level IV data center, which utilizes state-of-the-art, enterprise-class infrastructure technologies to deliver optimal yet cost-effective solutions. OCIO/NITC's secure information technology infrastructure consists of virtualized mainframe and midrange platforms, as well as virtualized network and storage infrastructure. The systems and applications managed by OCIO/NITC are national in scope, mission critical, and essential for the operations of the United States Government. Data center services include infrastructure as a service, platform as a service, managed hosting, and professional services.

OCIO/NITC provides managed hosting services to many customers, internal and external to USDA, including the Office of the Chief Financial Officer/National Finance Center (OCFO/NFC). As a provider of payroll/personnel and application hosting for all of USDA, as well as approximately 130 non-USDA government entities, NFC is subject to an annual Statement on Standards for Attestation Engagements (SSAE) No. 16 Controls review. That review identifies OCIO/NITC as a subservice provider of NFC. The services provided include hosting hardware/software associated with the production and backup environments of NFC's personnel system, EmpowHR, to include access controls, configuration management, and contingency planning. The result of the SSAE 16 review, along with results of testing at any agency subservice provider, has a significant impact on the financial statements of user agencies. Financial data processed by the NFC, along with additional agency-specific financial systems hosted by OCIO/NITC, are material to the financial statements; therefore, the controls over those systems play an integral part in assessing the completeness, accuracy, and integrity of USDA financial data.

Objective

The objective of our review was to assess whether selected controls at OCIO/NITC were in place and operating effectively in support of key USDA financial systems[3] from October 1, 2011, through July 1, 2012, with a focus on the production and backup environments for the OCFO/NFC's EmpowHR application.

[2] A federated data center is a centralized data center, providing participating entities the ability to operate their own environment with a degree of independence in the overall management of their server infrastructure.
[3] Key USDA financial systems include EmpowHR, and agency-specific financial systems for Rural Development, Farm Service Agency, Commodity Credit Corporation, and the Forest Service.

Section 1: Selected IT Controls Need Strengthening

Finding 1: Selected IT Controls Need Strengthening

During our review, we identified three control areas that need strengthening at OCIO/NITC. Specifically, OCIO/NITC had not developed formal written policy and procedures for incident response; it did not use Plans of Action and Milestones (POA&M) to track and mitigate critical vulnerabilities identified during monthly scans; and protection from water damage at an alternate processing site was lacking. These conditions occurred because management believed alternative policies or practices in place were sufficient. As a result, customer systems could be vulnerable for the items discussed below.

·   We requested policies and procedures for incident response at OCIO/NITC. OCIO/NITC was unable to provide a formal documented incident response policy. Instead, OCIO/NITC provided the Department's Standard Operating Procedures (SOP) for Reporting Security and Personally Identifiable Information Incidents.[4] The purpose of the SOP is to document the incident management procedures for the Department's Computer Incident Response Team, which does not apply at the agency level. Departmental policy requires each agency to establish, support, and maintain its own internal policies and procedures or assign a team to support prompt, effective, and efficient resolution of computer security incidents.[5] Without a formal documented incident response policy, appropriate action for a suspected security incident could be delayed.

·   We analyzed monthly scan results of EmpowHR devices[6] and subsequent remediation activities for identified vulnerabilities and found that OCIO/NITC does not track and mitigate critical vulnerabilities through the use of POA&Ms. Departmental policy requires all USDA agencies to perform vulnerability scans on a monthly basis. It further requires a POA&M to be developed, in accordance with Federal Information Security Management Act (FISMA) reporting requirements, for any unresolved critical vulnerabilities existing more than 30 days from the date of the scan.[7] While we found that OCIO/NITC used its internal Remedy system to track and remediate identified vulnerabilities, Remedy does not meet departmental guidelines for FISMA reporting. Additionally, all policy exceptions must be submitted directly to the Associate Chief Information Officer for Cyber Security. OCIO/NITC had not obtained a waiver from the requirement to create POA&Ms. Without tracking vulnerabilities in POA&Ms, departmental oversight can be hindered.

·   Additionally, we performed testing of OCIO/NITC's contingency planning controls for OCFO/NFC's EmpowHR application and found the potential for water damage to system devices at OCIO/NITC's alternate processing site, located at the George Washington Carver Data Center, in Beltsville, Maryland. During a walk-through of the data center, we noted overhead water pipes were present and staff did not have access to the water shut-offs. Without access to a shut-off valve by data center staff or alternative compensating controls in place, the risk of damage to system equipment is increased.

[4] SOP-ASOC-001, Agriculture Security Operations Center Computer Incident Response Team: Standard Operating Procedures for Reporting Security and Personally Identifiable Information Incidents (June 9, 2009).
[5] Department Manual (DM) 3505-001, USDA Cyber Security Incident Response Procedures (March 20, 2006).
[6] Scan reports from October 2011 through February 2012.
[7] DM 3530-001, USDA Vulnerability Scan Procedures (July 20, 2005).

Recommendation 1

Develop and implement formal documented incident response policy and procedures.

Agency Response

OCIO/NITC concurs and has created a POA&M to address this recommendation by December 21, 2012.

OIG Position

We concur with management decision.

Recommendation 2

Implement the Department's POA&M process for critical vulnerabilities existing more than 30 days or, alternatively, obtain a waiver.

Agency Response

OCIO/NITC concurs and is currently identifying and evaluating vulnerability POA&M options that ensure continued compliance with FISMA reporting requirements.

OIG Position

Management decision should be achievable upon review of the specific plans and timeframes for corrective action.

Recommendation 3

Develop and implement compensating controls to mitigate the risk of water damage at the George Washington Carver Data Center.

Agency Response

OCIO/NITC concurs and is currently implementing compensating controls to mitigate the risk of water damage at the George Washington Carver Data Center.

OIG Position

Management decision should be achievable upon review of the specific plans and timeframes for corrective action.

Scope and Methodology

The period of our review was from October 1, 2011, through July 1, 2012. OCIO/NITC provides managed hosting services to many customers internal and external to USDA, including the OCFO/NFC. As a provider of payroll/personnel and application hosting for all of USDA, as well as approximately 130 non-USDA government agencies, NFC is subject to an annual Statement on Standards for Attestation Engagements No. 16 (SSAE 16) Controls review. The result of the SSAE 16 review, along with results of testing at any subservice provider, has a significant impact on the financial statements of user agencies. Financial data processed by the NFC, along with additional agency-specific financial systems hosted by OCIO/NITC, are material to the financial statements; therefore, controls over those systems play an integral part in assessing the completeness, accuracy, and integrity of USDA financial data.

Our review focused on the specific controls[8] managed by OCIO/NITC as a subservice provider for OCFO/NFC's EmpowHR system. These controls, which are identified in Exhibit A, include access controls, configuration management, and contingency planning. The controls tested were also applicable to other key financial systems hosted at OCIO/NITC. We performed our review at the OCIO/NITC Data Center in Kansas City, Missouri, and two alternate centers located in St. Louis, Missouri, and Beltsville, Maryland.

We obtained supporting documentation in the form of server settings, access logs/reviews, training records, and agency policies and procedures, as well as physical observations and interviews with agency personnel. Our results were discussed with OCIO/NITC as we worked to obtain concurrence on exceptions noted.

Various Departmental Regulations and Manuals related to information technology security were utilized for this review. We compared the results of the audit tests against departmental, agency, and National Institute of Standards and Technology (NIST) guidance. Guidance used during the course of the audit included:

·   NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009

·   DM 3505-001, USDA Cyber Security Incident Response Procedures (March 20, 2006)

·   DM 3530-001, USDA Vulnerability Scan Procedures (July 20, 2005)

We conducted this review in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[8] Controls listed in OCFO/NFC's System Description as managed by OCIO/NITC.

Abbreviations

DM ........... Department Manual
FISMA ........ Federal Information Security Management Act
NFC .......... National Finance Center
NIST ......... National Institute of Standards and Technology
NITC ......... National Information Technology Center
OCFO ......... Office of the Chief Financial Officer
OCIO ......... Office of the Chief Information Officer
OIG .......... Office of Inspector General
POA&M ........ Plan of Action & Milestones
SOP .......... Standard Operating Procedures
SSAE ......... Statements on Standards for Attestation Engagements
USDA ......... Department of Agriculture

Exhibit A: Office of Inspector General Tests of the Office of the Chief Information Officer/National Information Technology Center Controls

Exhibit A – Page 1 of 6

The subsequent sections of the report's Exhibit A (pages 8 through 13) are not being publicly released due to the sensitive security content.

Agency's Response

USDA'S NATIONAL INFORMATION TECHNOLOGY CENTER RESPONSE TO AUDIT REPORT

United States Department of Agriculture
Office of the Chief Information Officer
National Information Technology Center
8930 Ward Parkway, Kansas City, MO 64114-3363
P.O. Box 419205, Kansas City, MO 64141-6205

September 21, 2012

TO: Tracy A. LaPoint
    Deputy Assistant Inspector General for Audit
    Office of the Inspector General

FROM: Kent W. Armstrong /s/
      Associate Chief Information Officer
      National Information Technology Center

SUBJECT: OIG Audit Number 88401-0001-11
         Review of Selected Controls at the National Information Technology Center

The National Information Technology Center (NITC) has reviewed the draft report on the subject audit. Responses for the three recommendations follow.

Recommendation 1:
    Develop and implement formal documented incident response policy and procedures.
    NITC Response: We concur with this finding. The NITC is in the process of documenting and implementing formal cyber incident response policy and procedures. NITC has created POAM number 18042 with an expected date of completion of December 21, 2012, to remediate the issue.

Recommendation 2:
    Implement the Department's POA&M process for critical vulnerabilities more than 30 days old or, alternatively, obtain a waiver.
    NITC Response: We concur with this finding. The NITC is currently identifying and evaluating vulnerability POA&M options that ensure continued compliance with FISMA reporting requirements.

Recommendation 3:
    Develop and implement compensating controls to mitigate the risk of water damage at the George Washington Carver Data Center.
    NITC Response: We concur with this finding. The NITC will implement compensating controls to mitigate the risk of water damage at the George Washington Carver Data Center. Estimated date of completion is 10/30/12.

If you have any questions, you may contact me at (816) 926-6501 or have a member of your staff contact Greg Schmitz at (816) 926-2356.

cc: Jim Steven, Deputy Associate Chief Information Officer, NITC
cc: Denice A. Lotson, Audit Liaison, OCIO
cc: Kathy Donaldson, OCFO

To learn more about OIG, visit our website at www.usda.gov/oig/index.htm

How To Report Suspected Wrongdoing in USDA Programs
Fraud, Waste, and Abuse
Email: usda.hotline@oig.usda.gov
Phone: 800-424-9121   Fax: 202-690-2474
Bribes or Gratuities: 202-720-7257 (24 hours a day)

The U.S. Department of Agriculture (USDA) prohibits discrimination in all of its programs and activities on the basis of race, color, national origin, age, disability, and where applicable, sex (including gender identity and expression), marital status, familial status, parental status, religion, sexual orientation, political beliefs, genetic information, reprisal, or because all or part of an individual's income is derived from any public assistance program. (Not all prohibited bases apply to all programs.) Persons with disabilities who require alternative means for communication of program information (Braille, large print, audiotape, etc.) should contact USDA's TARGET Center at (202) 720-2600 (voice and TDD). USDA is an equal opportunity provider and employer.